
Healthcare Leaders Discuss Latest EHR Security and MU Concerns


Whether a healthcare organization is working toward Stage 1 or Stage 2 Meaningful Use, it is essential for the facility to remain aware of the latest EHR security concerns. As more entities become interconnected through health information exchanges, patient privacy and data security issues need to remain top priorities.

With the start of 2015, HealthITSecurity.com discussed some of the larger EHR security and Meaningful Use security concerns with industry leaders to see how organizations can remain on top of all federal requirements.

An EHR application itself might be secure, but that doesn’t mean that it’s necessarily being used in a secure way, according to Robert Zimmerman, co-founder of QIP Solutions.

“You have to use it, you have to put data in it, you have to run it, you have to manage it, and your staff has to use it,” said Zimmerman, who specializes in audit and compliance and used to work for Deloitte risk management.

The pressure for a secure EHR system really needs to come from the healthcare facilities that are using those tools on a daily basis, Zimmerman added.

“Security and privacy to me really has to be driven by the organizations demanding it, and putting it in their own culture,” he said. “If you wait for the vendors, obviously they have other business, and other motives that they have to be focused on.”

Ty Faulkner, MS, CHTS-TS, Health Informatics Technology Consultant and Adjunct Professor at Lawrence Technological University, agreed, adding that the push for strong EHR security is finally making its way to the corporate level. While it may be due in large part to the number of healthcare data breaches occurring nationwide, it is “making its way to the C-suite as a line item.” However, it isn’t fully budgeted at all organizations, he said.

Even so, more healthcare organizations are working from the inside out to ensure better EHR security, according to Faulkner.

“Thanks to tools like the ONC online assessment there’s a lot of [healthcare organizations] making attempts of at least doing an assessment,” he said. “That’s a big change over the last 12 months. Just the atmosphere of practices now, you do hear more and more discussion about the use of password protection and device management.”

Overall, there is definitely a more heightened sense of awareness in terms of EHR security, but to create better long-term options it needs to become a consistent budget item, Faulkner said. When EHR security can go beyond Meaningful Use incentive payments, that is when a true change can occur.

Understanding the security

It’s not enough to just type in a patient’s information to an EHR system. Healthcare leaders agreed that employees at all levels need to understand how the technology is changing and exactly what they need to do to best ensure privacy and security.

Another way that healthcare organizations have been improving on EHR and Meaningful Use security is through data encryption, according to Stash Jarocki, CISA, CISM, CRISC, Director of IT Security at Phoenix Children’s Hospital.


The entire culture of EHR security has changed at Phoenix Children’s, according to Jarocki. Data encryption is one key way that the facility has ensured better security in its mobile devices, such as laptop computers, used by staff members.

“It’s just a manual learning process,” Jarocki said of Meaningful Use requirements. “The catch all is that Meaningful Use does not immediately equate to ‘Meaningful Security,’ but that’s where you’d like to head. It’s a slow process and you have to be able to accept that.”

Moreover, Jarocki said that employees at all levels need to understand the data that they are managing and processing. It often goes beyond protected health information (PHI), as many providers have financial records, background information, and email addresses of patients. And in the case of children’s hospitals, there is patient data and the patients’ parents’ data.

“It’s a much bigger pool of information,” Jarocki said. “We’re continually emphasizing you’re not just guarding the child’s information, which is very important, but you’re also guarding the family information.”

Zimmerman also touched on the importance of organizations understanding the types of data and how it is being stored in various EHR systems.

“Even if you’ve done a good risk assessment, you have to ask ‘What am I going to do with my risk?’” he said. “That’s what organizations are wrestling with now. What do I really have to do to be secure?”

Healthcare organizations need to figure out which top issues they need to tackle, and focus on them, according to Zimmerman. Whether it’s improving data encryption, creating strong passwords, improving physical security, or even gaining a better understanding of the mobile devices being used, facilities need to know the specific areas to address rather than the large number identified in federal regulations.

Staying current on the latest EHR and MU security needs

As technology continues to evolve, federal requirements for ensuring data security will also change. EHR security and Meaningful Use security requirements are not something that a healthcare organization can do one time and forget about, which is why Faulkner suggested three key things for facilities to keep in mind.

First, healthcare organizations need to look at the EHR security process as if a breach has already happened.

“Don’t think it won’t happen to your practice or organization, instead, view it as if it’s already happened so the sense of urgency to do something is there,” Faulkner said. “Then, take it one step further: take it personally. Not only that a breach has happened, but that it’s your own data.”

The second step is to set aside between 2 and 3 percent of the annual budget toward EHR security needs. It should be relative to the size of the organization, Faulkner said. This is an important aspect that facilities cannot just “bootstrap” and hope for the best.

“The third thing is, this is not a do-it-yourself activity,” Faulkner said. “Unless you have the credentials and expertise – and happen to be a provider, which is rare – do not take it on. Hire the experts. You would never try to take on any of the other major events in your org like many practices are trying to do with privacy and security. This is one where you just have to go out and hire the experts.”

Zimmerman agreed that it’s important to work with other companies when it comes to creating a strong EHR security plan.

“It’s important to get someone to really help you with that road map, that direction, the assistance,” Zimmerman said. “It’s amazing how far organizations can go. This is something they don’t normally do, they don’t have the expertise.”

Communication throughout the entire healthcare industry is also important, according to Jarocki. There needs to be a stronger health information sharing aspect so organizations can understand ahead of time how to fix potential problems. It’s important for healthcare security and privacy issues to be thought through, Jarocki said, and the industry is just on the beginning edge of that.

The CHIME CIO Features is a collaboration between Xtelligent Media, LLC, and the College of Healthcare Information Management Executives (CHIME), featuring leading hospital and healthcare system CIOs and their experiences in health IT implementation and innovation. For more information about CHIME, visit CHIMEcentral.org.

The post Healthcare Leaders Discuss Latest EHR Security and MU Concerns appeared first on HealthITSecurity.com.

